Joe Abley via dns-operations <[email protected]> writes:

> > If this was indeed an attack, then any information published on
> > 'status.denic.de' cannot be fully trusted.
>
> This had crossed my mind, too. Not to mention it would have been handy
> in this instance if using the status page didn't depend on signatures
> that were not possible to validate.

I wonder if something like

    _dnssecstatus.ZONE TXT "ok"

that was signed by the KSK would be helpful... Something that would be the easiest to sign quickly in a failure case of anything else in the zone, including ZSK issues. It won't help in KSK issues or DS issues though. And it seems crazy in the first place, but there you go: my thoughts live.

-- 
Wes Hardaker
Google
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
